AI agent for mobile reverse engineering.

Automated cryptographic analysis, runtime tracing, and SSL pinning bypass for Android applications. Local-first security research toolkit powered by Claude.

$npm i -g morrigan

AndroidCrypto replicationRuntime tracingPlanning modeSSL pinningAnti-debugAnti-tamperWorkspace artifactsLocal onlyBYOK

002 — Specialty

Morrigan is built for security researchers who have already lived inside IDA, Frida, and JADX — and want their slow work done in hours.

003 — Selected features

Crypto replication, traced and validated.

01 / Crown jewelCrypto replication

// hooked javax.crypto.Cipher.doFinal
→ input  b"5c 8a 91 ff 02 18 …"
→ output b"3a 7e 9c 22 4d a1 …"
// 12 vectors collected
→ python crypto.py
→ validate vs runtime  PASS · 12/12

From bytecode to a working Python module.

Static search finds the candidate routines. Runtime tracing collects inputs and outputs. The agent writes a Python replica and validates it byte-for-byte before it lands on disk.

02 / Approval-firstPlanning mode

// proposed plan, 4 steps
1. apktool d target.apk
2. jadx-cli — sources/
3. frida -U -f com.target.app
4. collect → crypto.py

→ approve · edit · cancel

Every active step is proposed before it runs.

Nothing executes on your device, your APK, or your filesystem without your sign-off. Plans are inspectable, editable, and rerunnable from the workspace.

03 / Local onlyPrivacy model

// vendor heartbeat — 9 fields
license_id        hashed
account_id        anonymous
product_version   1.0.x
hw_fingerprint    hashed
activation_ts     …
last_check_ts     …
build_id          …
os_type           windows 11
license_status    active

Nine fields. Nothing else.

APKs, decompiled code, Frida logs, generated scripts, project names, endpoints, LLM prompts — none of it touches the vendor. Local-first. BYOK Anthropic.

04 / WorkspaceArtifacts

~/.morrigan/projects/com.target/
├── apk/           target.apk + splits
├── decompiled/    jadx + apktool out
├── hooks/         12 frida scripts
├── traces/        128 captures
├── crypto.py      validated module
├── plan.md
└── session.md     markdown report

Every artifact stays on disk, yours to edit.

No hidden state inside the agent. Generated Frida scripts and Python modules are inspectable, version-controllable, and reusable across projects.

004 — Roadmap

From the private beta to broader release.

Currently shipping
Private paid beta · 5–20 users · CIS region

NowPrivate paid beta — manual onboarding.v0.4 · Windows

Q3 2026Public beta, self-serve activation.v0.6 · CIS

Q4 2026Team licensing, license portal.v0.8

2027Native .so crypto analysis · custom-crypto traces.v1.0 · EU / US

LateriOS · offline activation · private-LLM support.v1.x

005 — Capabilities

A toolchain you already trust, driven by the agent.

A · Static analysis

Decompile, index, search.

Bundled apktool + JADX, driven by the agent. Static search for crypto usage, network-stack indicators, and basic protection markers.

B · Runtime tracing

Hooks, generated on demand.

Bundled hook template library + dynamic generation. Spawn or attach. Crash recovery built in. Captures fed straight to the replication pipeline.

C · Crypto replication

A Python module, validated.

The crown jewel. Inputs and outputs collected at runtime become test vectors; the generated Python is validated byte-for-byte before it ships.

D · SSL pinning

Authorized bypass assistance.

Generated hooks for the common pin-check patterns. For authorized testing only. Inspectable, editable, in your workspace.

E · Session memory

Plans, traces, reports.

Workspace artifacts persist across sessions. Markdown reports summarise what the agent did, what worked, and what it parked for review.

F · Approval-first

Nothing runs without sign-off.

Every active step is proposed first. The agent waits. You read, edit, approve. Then execution. This is the difference between automation and autonomy.

Replicate Android crypto. Locally.

006 — Get access

→ Download for Windows → Email hello@morrigan.dev → Read the docs